"you may not have the appropriate permission to access


Re: "you may not have the appropriate permission to access
Now open a new notepad file.
Input this into the notepad file:

FCopy::
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll | c:\windows\system32\eventlog.dll

File::
C:\exploser.exe

Folder::
C:\autorunsc
C:\autoruns

FileLook::
c:\windows\explorer.exe


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: CFScript.txt being dragged onto the ComboFix icon]

This will open combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.

Re: "you may not have the appropriate permission to access
Here it is - 2 bits again
Note "C:\exploser.exe" - this was the renamed explorer.exe file I put on in the early stages to get access to the drives - did it get infected?
When ComboFix started, it reported a later version was available. I didn't download it, as I wasn't sure of the possible results if I didn't rename it as Combo-Fix (the text file had already been dropped in).

ComboFix 09-09-07.03 - Emma Thomson 08/09/2009 16:47.2.1 - NTFSx86
Running from: f:\malware tools\Combo-Fix.exe
Command switches used :: f:\malware tools\CFScript.txt
* Created a new restore point

FILE ::
"C:\exploser.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autoruns
c:\autoruns\arun.pif
c:\autoruns\autoruns.chm
c:\autoruns\autoruns.exe
c:\autoruns\Autoruns.zip
c:\autoruns\autorunsc.exe
C:\autorunsc
C:\exploser.exe

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-08 15:48 . 2009-09-08 15:48 -------- d-----w- c:\windows\LastGood
2009-09-08 15:47 . 2004-08-04 00:56 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-09-08 15:47 . 2004-08-04 00:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-09-07 12:49 . 2009-09-07 12:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-09-07 09:37 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 09:37 . 2009-09-07 21:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 09:37 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 12:49 . 2007-06-13 10:23 1033216 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2009-09-03 12:49 . 2007-06-13 10:23 1033216 ------w- c:\windows\explorer.exe
2009-09-01 15:34 . 2009-09-01 15:42 -------- d--h--w- c:\windows\PIF
2009-09-01 14:33 . 2009-09-01 14:33 25424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 12:26 . 2009-09-01 12:26 -------- d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Apple Computer
2009-09-01 12:26 . 2009-09-01 12:26 -------- d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Conduit
2009-09-01 12:26 . 2009-09-01 12:26 -------- d-----w- c:\documents and settings\Papa\Application Data\Yahoo!
2009-08-29 19:13 . 2009-08-29 19:13 -------- d-----w- c:\documents and settings\Jack\Local Settings\Application Data\Conduit
2009-08-29 19:11 . 2009-08-29 19:11 -------- d-----w- c:\documents and settings\Jack\Application Data\Yahoo!
2009-08-23 14:51 . 2009-08-23 14:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-12 18:41 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 13:00 . 2005-04-20 14:39 -------- d-----w- c:\program files\Yahoo!
2009-09-07 12:53 . 2005-07-07 13:58 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!
2009-09-07 12:45 . 2006-06-19 20:35 -------- d-----w- c:\program files\WildGames
2009-09-02 18:20 . 2008-11-10 18:20 -------- d-----w- c:\program files\MeBigBoot
2009-09-01 17:35 . 2009-06-04 12:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-01 15:36 . 2008-11-11 10:52 -------- d-----w- c:\program files\Spyware Doctor
2009-08-25 17:14 . 2006-06-12 12:01 -------- d-----w- c:\program files\Diner Dash 2
2009-08-25 17:13 . 2006-04-16 19:27 -------- d-----w- c:\program files\PlayFirst
2009-08-25 17:11 . 2007-09-20 19:00 -------- d-----w- c:\program files\DeliciousDeluxe2_at
2009-08-25 17:09 . 2005-11-05 21:10 -------- d-----w- c:\program files\Yahoo! Games
2009-08-25 17:08 . 2006-05-16 16:01 -------- d-----w- c:\documents and settings\Emma Thomson\Application Data\PlayFirst
2009-08-25 17:08 . 2006-05-16 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-08-25 17:07 . 2006-07-30 18:34 -------- d-----w- c:\program files\GameHouse
2009-08-25 17:05 . 2006-04-30 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-08-25 17:04 . 2007-09-05 15:48 -------- d-----w- c:\program files\BurgerIsland_at
2009-08-25 10:36 . 2007-09-11 20:25 -------- d-----w- c:\program files\BellesBeautyBoutique_at
2009-08-18 15:35 . 2004-12-26 12:42 25424 ----a-w- c:\documents and settings\Emma Thomson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 12:41 . 2009-08-09 12:41 -------- d-----w- c:\program files\MSBuild
2009-08-09 12:40 . 2009-08-09 12:40 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 12:24 . 2009-08-09 12:24 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:11 . 2002-12-11 23:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 15:03 . 2009-02-27 22:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-01 10:32 . 2007-04-23 01:39 -------- d-----w- c:\program files\LimeWire
2009-08-01 10:27 . 2009-08-01 10:29 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-01 10:27 . 2007-04-23 01:40 -------- d-----w- c:\program files\Java
2009-07-24 16:02 . 2005-03-16 10:41 25424 ----a-w- c:\documents and settings\archie thomson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 18:55 . 2004-10-01 06:51 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 17:20 . 2009-07-15 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-15 17:15 . 2009-06-04 12:44 -------- d-----w- c:\program files\Norton Security Scan
2009-07-15 17:08 . 2009-07-15 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-15 17:07 . 2009-07-15 17:07 -------- d-----w- c:\program files\NortonInstaller
2009-07-15 17:07 . 2009-07-15 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-13 22:43 . 2004-12-26 12:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 18:00 . 2007-09-05 15:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 16:12 . 2004-02-06 18:05 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-12-26 12:33 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-10-01 06:51 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:44 . 2004-10-01 06:52 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-10-01 06:52 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-10-01 06:52 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-10-01 06:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-10-01 06:52 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-10-01 06:52 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-10-01 06:52 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2004-10-01 06:52 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-10-01 06:52 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-10-01 06:52 76288 ----a-w- c:\windows\system32\telnet.exe
2005-11-04 18:17 . 2005-11-04 18:17 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-09-05 17:00 . 2006-07-30 18:34 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\explorer.exe ---
Company: Microsoft Corporation
File Description: Windows Explorer
File Version: 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: EXPLORER.EXE
File size: 1033216
Created time: 2009-09-03 12:49
Modified time: 2007-06-13 10:23
MD5: 97BD6515465659FF8F3B7BE375B2EA87
SHA1: 972307A3EF93680AFDD03603DF20F2241047A934

Re: "you may not have the appropriate permission to access
2nd bit

((((((((((((((((((((((((((((( SnapShot@2009-09-08_09.43.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 15:48 . 2008-04-14 00:11 56320 c:\windows\LastGood\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-10-08 173368]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f312b9a-208b-49fa-8218-b9aa22ec1463}]
2009-06-13 18:15 2094616 ----a-w- c:\program files\bigmaq\tbbig1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-10-08 12:22 1172792 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]
"{7f312b9a-208b-49fa-8218-b9aa22ec1463}"= "c:\program files\BigMAQ\tbbig1.dll" [2009-06-13 2094616]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CLASSES_ROOT\clsid\{7f312b9a-208b-49fa-8218-b9aa22ec1463}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-07-01 118784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"EPSON Stylus C46 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE" [2004-01-14 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-01 136600]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-01-13 111928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-04-28 66048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
broadband medic.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe [2005-3-5 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=3 (0x3)
"AvSynMgr"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\naifsrec.sys [30/04/2001 05:51 4512]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [25/01/2009 21:05 33752]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [30/07/2006 19:34 29744]
S3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\naifiltr.sys [26/11/2001 17:51 23856]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [03/01/2006 14:44 11264]
S4 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [26/11/2001 17:51 155665]
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-08-28 c:\windows\Tasks\Norton Security Scan for Emma Thomson.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-15 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchURL = hxxp://www.google.com/
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Emma Thomson\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37490.cab
FF - ProfilePath - c:\documents and settings\Emma Thomson\Application Data\Mozilla\Firefox\Profiles\8bjgg2hx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Emma Thomson\Application Data\Mozilla\Firefox\Profiles\8bjgg2hx.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 17:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2647683160-1587660973-2963474672-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-09-08 17:07
ComboFix-quarantined-files.txt 2009-09-08 16:05
ComboFix2.txt 2009-09-08 09:54

Pre-Run: 46,794,747,904 bytes free
Post-Run: 46,753,931,264 bytes free

227 --- E O F --- 2009-09-08 07:44
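The two log posts above are long file listings, and the entries that matter for triage are the ones in the Windows system directories that were created shortly before the scan, or whose creation time is far later than their modification time (a file copied into place, which is exactly what the FCopy step did with eventlog.dll). The following parser is an added example, not part of this thread or of ComboFix; it reads lines in the "Files Created" / "Find3M" format shown above, pulls out the created time, modified time, size, attribute string and path, and returns a list of reasons why an entry deserves a second look. The sample lines are copied from the log above and the scan time is the log's "Completion time"; the attribute-flag interpretation (d = directory, h = hidden) is an assumption based on how the flags appear in the listing.

```python
"""Parse ComboFix-style file listing lines and flag entries worth a second look.

Added example for this thread; not ComboFix's own code. Line format assumed
from the listings above:
    <created> . <modified> <size|--------> <attrs> <path>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Sample lines taken from the log posted above (real entries, not constructed).
SAMPLE_LINES = r"""
2009-09-08 15:48 . 2009-09-08 15:48 -------- d-----w- c:\windows\LastGood
2009-09-08 15:47 . 2004-08-04 00:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-09-03 12:49 . 2007-06-13 10:23 1033216 ------w- c:\windows\explorer.exe
2009-09-01 15:34 . 2009-09-01 15:42 -------- d--h--w- c:\windows\PIF
2009-08-23 14:51 . 2009-08-23 14:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-17 18:55 . 2004-10-01 06:51 58880 ----a-w- c:\windows\system32\atl.dll
"""

# "Completion time" from the log above.
SCAN_TIME = datetime(2009, 9, 8, 17, 7)

# Path prefix treated as a system location (assumption: XP default install drive).
SYSTEM_PREFIX = "c:\\windows\\"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str            # raw 8-character attribute string, e.g. "-c--a-w-"
    path: str

    @property
    def is_dir(self) -> bool:
        # Assumption: leading 'd' marks a directory, as in the listing above.
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        # Assumption: 'h' anywhere in the attribute string marks a hidden entry.
        return "h" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one listing line, or None for headers/other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=size,
        attrs=m["attrs"],
        path=m["path"],
    )


def parse_listing(text: str) -> List[Entry]:
    """Parse every recognisable line; header and decoration lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flag_entries(entries: List[Entry], scan_time: datetime,
                 recent_days: int = 7, copied_in_days: int = 30) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for entries that merit a closer look.

    recent-create : file under the system prefix created within recent_days of the scan
    copied-in     : file whose creation time is >= copied_in_days after its modification
                    time (copied into place; Windows Update does this too, so verify)
    hidden        : entry carries the hidden attribute
    """
    findings = []
    for e in entries:
        reasons = []
        in_system = e.path.lower().startswith(SYSTEM_PREFIX)
        if not e.is_dir and in_system and scan_time - e.created <= timedelta(days=recent_days):
            reasons.append("recent-create")
        if not e.is_dir and e.created - e.modified >= timedelta(days=copied_in_days):
            reasons.append("copied-in")
        if e.hidden:
            reasons.append("hidden")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in flag_entries(parse_listing(SAMPLE_LINES), SCAN_TIME):
        print(f"{path}: {', '.join(reasons)}")
```

Run over the sample, eventlog.dll and explorer.exe come back as both recent-create and copied-in, the hidden PIF directory is flagged, atl.dll is flagged only as copied-in (a July 2009 creation with a 2004 modification time is the same pattern a Windows Update replacement leaves), and d3d9caps.dat is not flagged. The reasons are triage input, not verdicts: the next step for each flagged system file is to compare its hash against a known-good copy, as the "Look" section does for explorer.exe.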

Re: "you may not have the appropriate permission to access
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[screenshot: ComboFix uninstall (CF_Cleanup) dialog]

This will also reset your restore points.

How is the machine running now?

Re: "you may not have the appropriate permission to access
Hi Belahzur
Everything seems OK now, but I'll know better after the grandlings have been using it. I've changed all passwords and revoked admin rights on their accounts, and I'll install new a-v/a-mw software. Now I'd better check my own PC & laptop after doing all that file swapping. Thanks for all your help, and I hope the sun is shining wherever you are. If you find out who writes this stuff, I'd be pleased to meet them to personally explain the error of their ways, if you know what I mean.

Best wishes from

deecee

Re: "you may not have the appropriate permission to access
Heh, UK, and yes, it's been sunny here today.
